Pavel Kankovsky wrote:
> On Fri, 11 Jan 2002, Ed Moyle wrote:
>
> > I'm curious about the following: Does anyone know of an analysis of
> > yarrow vs. the openssl PRNG (or any others), both from a security
> > perspective and from a performance perspective? I guess openssl has
> > had issues with predictability in the past, and I've heard yarrow is
> > slow. I'd like to know if either of these "word on the street"
> > statements have been quantified in any formal way, so as to allow the
> > community at large to make an intelligent decision...
>
> We are doing a minireview of OpenSSL here at the Charles University
> (but we are not a group of seasoned crypto experts doing a thorough
> audit, therefore do not accept the following claims blindly).
>
> Its PRNG is not as sophisticated as Yarrow--in particular, it lacks
> automatic reseeding from an external source of randomness--but it

The application is expected to reseed as needed (for example, Apache-SSL
has the SSLRandomFilePerConnection directive to enable this
[http://www.apache-ssl.org/docs.html#SSLRandomFilePerConnection]).

> appears to be quite good in its current form. The problems OpenSSH's
> PRNG had in the past are real but the current implementation should
> be secure as long as the underlying hash function is unbreakable
> and the seed is unpredictable.
>
> I myself would also advise to reseed the PRNG in forked child processes
> because someone clever might find a way to abuse the fact the only
> difference between the parent's and the child's PRNG is the pids (i.e.
> small and in many cases known numbers) being mixed into their state.
> But I am known for my paranoia. :)

However, this is good advice.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
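The fork concern raised in the quoted message, shown as an added example that is not part of the thread and not OpenSSL or Apache-SSL code: a forked child inherits the parent's PRNG state verbatim, so unless the child mixes in fresh entropy, both processes produce the same output stream. Python's `random.Random` stands in for the application-level PRNG (a private instance is used on purpose, since recent CPython versions reseed only the module-level generator after fork); `os.urandom` stands in for the external entropy source a reseed should draw from. All inputs are constructed.

```python
import json
import os
import random


def draw(rng, n=4):
    """Pull n 64-bit values from a PRNG instance."""
    return [rng.getrandbits(64) for _ in range(n)]


def child_draw(rng, reseed, n=4):
    """Fork, draw n values from the child's copy of rng, and return them.

    The child inherits rng's internal state byte for byte. With reseed=False
    it simply continues from that inherited state; with reseed=True it first
    mixes in fresh OS entropy, which is what the reseed-after-fork advice
    amounts to (the pid alone is a small, often guessable difference).
    """
    r_fd, w_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child process
        os.close(r_fd)
        if reseed:
            rng.seed(os.urandom(32))  # fresh entropy, not just the pid
        os.write(w_fd, json.dumps(draw(rng, n)).encode())
        os.close(w_fd)
        os._exit(0)
    # parent process: collect the child's output and reap it
    os.close(w_fd)
    buf = b""
    while True:
        chunk = os.read(r_fd, 4096)
        if not chunk:
            break
        buf += chunk
    os.close(r_fd)
    os.waitpid(pid, 0)
    return json.loads(buf.decode())


def fork_duplicates_state(reseed):
    """Return True if a forked child's draws equal the parent's draws.

    Constructed demonstration: the parent seeds a private generator, forks,
    and then draws from its own (untouched) pre-fork state. Without a reseed
    the child's sequence is identical; with a reseed it diverges.
    """
    rng = random.Random(os.urandom(32))  # well-seeded private instance
    child = child_draw(rng, reseed)
    parent = draw(rng)
    return child == parent


if __name__ == "__main__":
    print("without reseed, child == parent:", fork_duplicates_state(False))
    print("with reseed,    child == parent:", fork_duplicates_state(True))
```

Run it on a POSIX system; the first line prints `True` (both processes emit the same values) and the second `False`. The detection angle for a reviewer is the same as in the mail: any code path that forks after initialising a user-space PRNG needs an explicit reseed from an external source in the child, or a PRNG that detects the fork itself.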
This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 12:44:46 PST